hzhang
57a1fa1b33
State machine driver + camp allocator + judge-submitted verdicts +
broadcast hook to Fabric announce channel.
internal/orchestrator/
- allocator.go: pure function implementing the 3-camp rule from the
2026-05-23 design session — for each camp (pro/con/judge), random
pick from volunteers; backfill unfilled camps from remaining
unallocated signups if pool is large enough; <3 final → cancel
with diagnostic reason. rng injected for test determinism.
- allocator_test.go: 7 tests covering empty/insufficient/single-volunteer
/multi-volunteer-no-dup/backfill/insufficient-backfill/large-pool
distinctness invariants. All pass.
- ticker.go: scans every 15s (configurable via ORCHESTRATOR_TICK_INTERVAL),
drives 3 state transitions atomically:
created → signup_open (post fabric announcement async)
signup_open → signup_closed | cancelled (run allocator, write camps)
signup_closed → debating (open round 0)
debating → completed is driven by the verdict POST handler (the
implicit "judging" sub-state is captured by the gate
status==debating AND now>=debate_end_at). Per-topic transitions
use SELECT FOR UPDATE so concurrent ticker instances are safe.
internal/fabric/announce.go: HTTP client posting to a Guild announce
channel using x-fabric-system-key header (the Phase 1 gate). Wraps
the formatted topic announcement (title/summary/timing/schema). All
4 config fields required to enable; any missing → no-op with log
(orchestrator runs fine without Fabric coupling for dev).
internal/store/{round,camp,argument,verdict}_store.go: CRUD layer
for the remaining v2 entities. CampStore.WriteAllocation accepts a
tx so the orchestrator can wrap allocator+camps+status into one
atomic transition.
internal/httpapi/handlers/arguments.go:
- POST /api/topics/{id}/arguments — agent posts during debate. Gates:
agent must be in a camp on this topic; status==debating; content
nonempty and <=32KB; attached to latest open round.
- GET /api/topics/{id}/arguments — full transcript, visibility-gated.
internal/httpapi/handlers/verdict.go:
- POST /api/topics/{id}/verdict — judge submits. Gates: caller==judge
camp; status==debating AND now>=debate_end_at; verdict valid JSON;
rationale required. On success: writes verdicts row (unique on
topic_id → 409 on dup) and flips topic.status to completed.
- GET /api/topics/{id}/verdict — visibility-gated.
config: 5 new env vars — FABRIC_GUILD_BASE_URL,
FABRIC_ANNOUNCE_CHANNEL_ID, FABRIC_SYSTEM_API_KEY,
FABRIC_BOT_BEARER_TOKEN, ORCHESTRATOR_TICK_INTERVAL.
routes.go: wired new handlers — POST signups/arguments/verdict gated
on agent bearer; GET arguments/verdict on optional-auth chain
(public topics readable anonymously).
main.go: instantiates announcer + ticker; ticker.Run in a goroutine
sharing the lifetime ctx.
go vet + gofmt clean; 7/7 allocator tests pass; 12M static binary.
Next: Phase 2E (deploy to t3 with nginx + CF origin cert) or
Phase 2D.5 (SSE stream for live transcript subscribers).
189 lines
6.3 KiB
Go
189 lines
6.3 KiB
Go
package httpapi
|
|
|
|
import (
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
chimw "github.com/go-chi/chi/v5/middleware"
|
|
"github.com/go-chi/cors"
|
|
"github.com/jmoiron/sqlx"
|
|
|
|
"git.hangman-lab.top/hzhang/Dialectic.Backend/internal/auth"
|
|
"git.hangman-lab.top/hzhang/Dialectic.Backend/internal/config"
|
|
"git.hangman-lab.top/hzhang/Dialectic.Backend/internal/httpapi/handlers"
|
|
"git.hangman-lab.top/hzhang/Dialectic.Backend/internal/store"
|
|
)
|
|
|
|
// Mount returns the root router with all v2 endpoints wired. Owners of
|
|
// individual middleware chains:
|
|
//
|
|
// - /api/healthz : public (no auth)
|
|
// - /api/topics : mixed — list/get optional auth (anon
|
|
// sees public only); create requires CallerAgent or CallerUser
|
|
// - /api/topics/{id}/signups : agent-only (CallerAgent)
|
|
//
|
|
// Browser-side OIDC and agent-side bearer middlewares co-exist on the
|
|
// same route by being "optional auth" — if either succeeds, Caller is
|
|
// attached; otherwise the handler sees anonymous and decides whether
|
|
// to 401 or fall through to public behavior.
|
|
func Mount(cfg *config.Config, db *sqlx.DB, version string) http.Handler {
|
|
r := chi.NewRouter()
|
|
|
|
// Boilerplate middleware — these run on every request.
|
|
r.Use(chimw.RealIP)
|
|
r.Use(chimw.RequestID)
|
|
r.Use(chimw.Logger)
|
|
r.Use(chimw.Recoverer)
|
|
r.Use(chimw.Timeout(30 * time.Second))
|
|
r.Use(cors.Handler(cors.Options{
|
|
AllowedOrigins: cfg.CORSAllowOrigins,
|
|
AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
|
|
AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "x-dev-bypass"},
|
|
ExposedHeaders: []string{},
|
|
AllowCredentials: true,
|
|
MaxAge: 300,
|
|
}))
|
|
|
|
// Auth middlewares — composed as "try agent, then user, else pass anonymous".
|
|
optionalAuth := optionalAuthChain(db, cfg)
|
|
requireAgent := auth.AgentAPIKey(db, cfg.AgentAPIKeyPepper) // strict bearer
|
|
requireAnyAuth := requireAnyAuthChain(db, cfg)
|
|
|
|
// Handler instances.
|
|
topicStore := store.NewTopicStore(db)
|
|
signupStore := store.NewSignupStore(db)
|
|
campStore := store.NewCampStore(db)
|
|
roundStore := store.NewRoundStore(db)
|
|
argStore := store.NewArgumentStore(db)
|
|
verdictStore := store.NewVerdictStore(db)
|
|
|
|
health := handlers.NewHealthHandler(db, version)
|
|
topicsH := handlers.NewTopicsHandler(topicStore)
|
|
signupsH := handlers.NewSignupsHandler(topicStore, signupStore)
|
|
argsH := handlers.NewArgumentsHandler(topicStore, campStore, roundStore, argStore)
|
|
verdictH := handlers.NewVerdictHandler(topicStore, campStore, verdictStore)
|
|
|
|
// Routes.
|
|
r.Route("/api", func(r chi.Router) {
|
|
r.Get("/healthz", health.Healthz)
|
|
|
|
// Topics: list+get optional-auth (visibility-gated by handler);
|
|
// create+visibility-flip require any auth.
|
|
r.Group(func(r chi.Router) {
|
|
r.Use(optionalAuth)
|
|
r.Get("/topics", topicsH.List)
|
|
r.Get("/topics/{id}", topicsH.Get)
|
|
r.Get("/topics/{id}/arguments", argsH.List)
|
|
r.Get("/topics/{id}/verdict", verdictH.Get)
|
|
})
|
|
r.Group(func(r chi.Router) {
|
|
r.Use(requireAnyAuth)
|
|
r.Post("/topics", topicsH.Create)
|
|
r.Put("/topics/{id}/visibility", topicsH.SetVisibility)
|
|
})
|
|
|
|
// Signups, arguments, verdict POST: agent-only.
|
|
r.Group(func(r chi.Router) {
|
|
r.Use(requireAgent)
|
|
r.Post("/topics/{id}/signups", signupsH.Create)
|
|
r.Post("/topics/{id}/arguments", argsH.Post)
|
|
r.Post("/topics/{id}/verdict", verdictH.Submit)
|
|
})
|
|
// List signups: any authenticated caller.
|
|
r.Group(func(r chi.Router) {
|
|
r.Use(requireAnyAuth)
|
|
r.Get("/topics/{id}/signups", signupsH.List)
|
|
})
|
|
})
|
|
|
|
return r
|
|
}
|
|
|
|
// optionalAuthChain: if either auth method succeeds, attach Caller;
|
|
// otherwise let the request through anonymous. Handlers decide what
|
|
// to do with anonymous (typically: serve public subset, hide private).
|
|
func optionalAuthChain(db *sqlx.DB, cfg *config.Config) func(http.Handler) http.Handler {
|
|
agent := auth.AgentAPIKey(db, cfg.AgentAPIKeyPepper)
|
|
oidc := auth.OIDCBrowser(cfg.IsDev(), cfg.OIDCDevBypassToken)
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
// Bearer present → try agent path; on success it ServeHTTPs next.
|
|
// On failure it 401s, which we want to demote to "anonymous" for
|
|
// optional auth. The pattern is: capture the response; if it's
|
|
// 401, fall through to OIDC; if OIDC also 401s, finally fall
|
|
// through to next (anonymous).
|
|
if r.Header.Get("authorization") != "" {
|
|
rw := &captureWriter{ResponseWriter: w}
|
|
agent(next).ServeHTTP(rw, r)
|
|
if rw.status != http.StatusUnauthorized {
|
|
return
|
|
}
|
|
// reset captured state and try anon path (since OIDC
|
|
// won't apply if there's no cookie / bypass header)
|
|
}
|
|
if r.Header.Get("x-dev-bypass") != "" {
|
|
rw := &captureWriter{ResponseWriter: w}
|
|
oidc(next).ServeHTTP(rw, r)
|
|
if rw.status != http.StatusUnauthorized {
|
|
return
|
|
}
|
|
}
|
|
// Anonymous — call next with no Caller attached.
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
// requireAnyAuthChain: 401 if neither agent nor user auth succeeds.
|
|
func requireAnyAuthChain(db *sqlx.DB, cfg *config.Config) func(http.Handler) http.Handler {
|
|
agent := auth.AgentAPIKey(db, cfg.AgentAPIKeyPepper)
|
|
oidc := auth.OIDCBrowser(cfg.IsDev(), cfg.OIDCDevBypassToken)
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Header.Get("authorization") != "" {
|
|
rw := &captureWriter{ResponseWriter: w}
|
|
agent(next).ServeHTTP(rw, r)
|
|
if rw.status != http.StatusUnauthorized {
|
|
return
|
|
}
|
|
}
|
|
oidc(next).ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
// captureWriter records the status so the optional-auth chain can
|
|
// distinguish "401 from inner middleware (try next)" from "actual
|
|
// response from handler (deliver)". Body bytes are passed through
|
|
// when status != 401.
|
|
type captureWriter struct {
|
|
http.ResponseWriter
|
|
status int
|
|
wroteHeader bool
|
|
suppressing bool
|
|
}
|
|
|
|
func (c *captureWriter) WriteHeader(s int) {
|
|
c.status = s
|
|
c.wroteHeader = true
|
|
if s == http.StatusUnauthorized {
|
|
// don't actually write — we may fall through
|
|
c.suppressing = true
|
|
return
|
|
}
|
|
c.ResponseWriter.WriteHeader(s)
|
|
}
|
|
|
|
func (c *captureWriter) Write(b []byte) (int, error) {
|
|
if c.suppressing {
|
|
// swallow; caller will fall through to next chain step
|
|
return len(b), nil
|
|
}
|
|
if !c.wroteHeader {
|
|
c.ResponseWriter.WriteHeader(http.StatusOK)
|
|
c.wroteHeader = true
|
|
}
|
|
return c.ResponseWriter.Write(b)
|
|
}
|